OpenSSL security issue note (Heartbleed)
Apr 11th, 2014
A major vulnerability has been discovered in OpenSSL, the software used to establish encrypted connections. It is estimated that 60% of servers run OpenSSL, which makes this a huge issue.
The vulnerability affects server software, but under specific conditions it may also be possible to affect clients (e.g. through a man-in-the-middle attack).
OE Classic 2.0 has been updated today to include the bug-fixed version of the OpenSSL libraries. Although an attack of this kind is unlikely against a client like OE Classic, it is still highly recommended that you update to the latest version 2.0 (issued today), which patches the problem. As for older versions, version 1.9 of OE Classic includes the compromised libraries (v1.0.1f), so we highly recommend updating to version 2.0 as soon as possible. Version 1.8 uses an older version of OpenSSL which has not been affected.
To fully protect yourself, you need to change your email password. This is especially important for users of Gmail, Yahoo Mail, Outlook.com or similar popular email services, because they have likely been attacked already. Even though most of them have already been patched, compromised passwords may still be out there, so you need to change your email password.
The vulnerability is known as Heartbleed - TLS read overrun (CVE-2014-0160), if you want to search for more information on this issue.